diff --git a/src/ngSanitize/sanitize.js b/src/ngSanitize/sanitize.js
index 3d904ad1e0bb..ffee51df0df1 100644
--- a/src/ngSanitize/sanitize.js
+++ b/src/ngSanitize/sanitize.js
@@ -210,9 +210,10 @@ function htmlParser( html, handler ) {
 // Comment
 if ( html.indexOf("");
+ // comments containing -- are not allowed unless they terminate the comment
+ index = html.indexOf("--", 4);
- if ( index >= 0 ) {
+ if ( index >= 0 && html.lastIndexOf("-->", index) === index) {
 if (handler.comment) handler.comment( html.substring( 4, index ) );
 html = html.substring( index + 3 );
 chars = false;
diff --git a/test/ngSanitize/sanitizeSpec.js b/test/ngSanitize/sanitizeSpec.js
index f97e86a63768..ae1271f09b52 100644
--- a/test/ngSanitize/sanitizeSpec.js
+++ b/test/ngSanitize/sanitizeSpec.js
@@ -15,7 +15,7 @@ describe('HTML', function() {
 describe('htmlParser', function() {
 if (angular.isUndefined(window.htmlParser)) return;
- var handler, start, text;
+ var handler, start, text, comment;
 beforeEach(function() {
 handler = {
 start: function(tag, attrs, unary){
@@ -35,10 +35,42 @@ describe('HTML', function() {
 },
 end:function(tag) {
 expect(tag).toEqual(start.tag);
+ },
+ comment:function(comment_) {
+ comment = comment_;
 }
 };
 });
+ it('should parse comments', function() {
+ htmlParser('', handler);
+ expect(comment).toEqual('FOOBAR');
+ });
+
+ it('should throw an exception for invalid comments', function() {
+ var caught=false;
+ try {
+ htmlParser('', handler);
+ }
+ catch (ex) {
+ caught = true;
+ // expected an exception due to a bad parse
+ }
+ expect(caught).toBe(true);
+ });
+
+ it('double-dashes are not allowed in a comment', function() {
+ var caught=false;
+ try {
+ htmlParser('', handler);
+ }
+ catch (ex) {
+ caught = true;
+ // expected an exception due to a bad parse
+ }
+ expect(caught).toBe(true);
+ });
+
 it('should parse basic format', function() {
 htmlParser('text', handler);
 expect(start).toEqual({tag:'tag', attrs:{attr:'value'}, unary:false});
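Review bot: The new guard `index = html.indexOf("--", 4)` plus `html.lastIndexOf("-->", index) === index` fails closed, but the comment above it only says that `--` is disallowed and not why, and the why is the security-relevant part: browsers do not all stop a comment at the same place once it contains `--` (or ends in `--!>`), and any disagreement between this parser and the browser about where the comment ends lets markup hide inside what the sanitizer thinks is comment text, so refusing to parse is deliberate. I would extend the comment to `// comments containing -- are not allowed unless they terminate the comment: browsers disagree on where such comments end, and a mismatch with the browser's parse would let markup hide inside a "comment", so fail closed`. Using `lastIndexOf` with a fromIndex is an unusual way to test that `-->` starts exactly at `index`; `html.substr(index, 3) === "-->"` states the same condition directly. When the guard fails, the rejection itself is not visible in this hunk; the new tests expect an exception, presumably from the parser's no-progress check elsewhere in htmlParser, whose body starts and ends outside the hunk.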
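Review bot: The two negative tests only assert that an exception was raised; they do not check that the malformed comment never reached `handler.comment`, which is the property the sanitizer change is meant to guarantee. `comment` is a describe-scoped variable that is never reset between tests, so a stale value from 'should parse comments' would go unnoticed; clearing it in `beforeEach` (which starts in the earlier hunk) and adding `expect(comment).toBeUndefined();` after each `expect(caught).toBe(true);` would close that gap. The try/catch-with-flag pattern could also be replaced by Jasmine's `expect(function() { htmlParser(input, handler); }).toThrow();`, which reports the real failure when the parser unexpectedly succeeds instead of a bare `caught` mismatch. As rendered here the inputs read as `htmlParser('', handler)`; the HTML comment markup was presumably stripped when the page was captured, so I have not reviewed the exact inputs.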